Achieving Compliance: Electronic Devices in Your Practice

Join Jason Karn of Total HIPAA Compliance and Dan Brown of Taylor English as they discuss the use of electronic devices in your practice in this informative webinar.

Earlier in this series, we covered How to Prepare for a HIPAA Audit and offered tips for Updating Your Plan & Training Your Staff. In our final two webinars, we'll discuss tips for Preventing a Security Breach, and How to Respond to a Security Breach if one occurs.

For links to the software recommendations mentioned in this presentation, please see the Q&A section. 



Download the Slide Deck


HIPAA Resources



Q: Can you reuse or dispose of a device that has PHI stored on it?

A: Yes, you can reuse those devices. You can donate those devices. Again, it's all about making sure that you erase them and making sure that you erase them securely. I know on the Mac system, and also Windows system, there's a way to erase the drive and do a secure erase, and you want to make sure you do that. You want to override it at least once. I would recommend that you override it a couple times just to make sure that information is no longer accessible, and that should be fine.​

Q: Is encryption required under HIPAA?

A: It is not required, but you do have that extra benefit from HIPAA that says, "Hey, if the device is encrypted and the key is not with it and you have the password protection on, any lost devices are not considered a breach." That gives you that extra protection as a owner of a practice or as a physician in a practice or even as a nurse in a practice. That gives you that peace of mind, because we all ... They call them accidents for a reason. People lose things. Things are stolen. I really would stress that you encrypt those devices, even though it's not explicitly required by HIPAA, but I think you'll find, when you go through that risk assessment, that it is appropriate and should be implemented into the practice.​

Q: Does password protection mean the same thing as encryption?

A: No. They do not mean the same thing. Password protection stops you from getting in. Encryption means that information has been turned into a random 1s and 0s. You could have password protection on and not have the device encrypted. You can run into issues with that. Somebody is trying to access the information, and they can pop the drive out. The can do a lot of backdoor attempts to get in to your devices. Encryption is separate, and the 2 go hand in hand when it comes to protecting your device.

Q: If your email and messaging programs are encrypted, does this mean your device is encrypted as well?

A: No, that's separate from your actual setting application into a program, so that information yes it would be encrypted within that program, but the device itself would not be encrypted unless it was explicitly turned on.

Q: How often should a practice update their list of electronic devices?

A: I recommend updating probably quarterly, maybe twice a year. Anytime there is a major change in devices or operating systems. It's very important to keep a running list of everything you have. That's part of your disaster recovery plan. As we stated, that was part that's required by HIPAA. It also helps if there is an issue at insurance time and lets you know what devices you absolutely have to have if you say you had a buyer, knowing how to get back up and running as quickly as possible. Saying, "Okay. We need these mobile devices. We need to make sure we have these servers in place." Whatever you need, you need to make sure is documented as part of that plan.

Q: Is my personal Gmail account encrypted?

A: No. Gmail is not a HIPAA compliant and is not acceptable for transmitting PHI. Now, there's Google Apps, and they will sign a BAA which you have to have, but my concern with Google Apps is they don't require the authentication, so if you send me an email through Google Apps, it doesn't require me to login to look at that information. 

Q: Do you have any recommendations for security and antivirus programs?

A: Email encryption: For ease of use and for cost, I really like Virtru. They have a really nice program, both for authentication and encryption. Citrix has got a nice mail program for that, too. Luxsci is another great email encryption company. They also do HIPAA compliance web hosting, for things like taking information from your patients via a web portal. It's a really nice program and quite affordable, also. Then, there's the industry standard which is ZixMail. That's used by lots of big hospitals and by the federal government. But that's usually not a great solution for smaller companies as it can be costly. They primarily like to work with larger groups and you have to go through a reseller, which can be a little bit cumbersome, but it is a nice program.

Internal encryption: I recommend BitLocker for Windows and FileVault 2, for Mac. For Android, iPhones, and Windows phones, they all have internal encryption. For iPhones, it actually defaults, or it encrypts all information. Just make sure you're encrypting those backups. In iTunes, there's a checkbox for encrypting backups, so encrypt those and password protect those. 

Texting: In the next, week and a half, two weeks, I'm going to be putting out a white paper, on HIPAA compliant texting programs, because we did one on file-sharing. One of the industry standards is TigerText. Another one that's really nice is Cotap. It's quite affordable and they will integrate with your EHR, so your messages can become part of your health record. 

File sharing: There's quite a few options available, but I like Citrix's ShareFileSookasa has a really nice platform for that, and Box has a really nice web app. The nice thing about Box is that you can designate control. You can say, hey, Bob stopped working for me, he quit yesterday. Let me deny him access to patient files that were in this Box file. You can turn those controls on and off, which is very helpful. You want to be able to manage those devices. You can do that through Find My iPhone for Apple devices, or on the native apps for Android and Windows phones. If you're looking for something on the enterprise level, there's a program called Prey, that allows you to track devices and will also allow you to lock those down.

Virus protection: There's a whole host out there, but Kaspersky is a nice one. I would Google, look around, and see what your IT professional recommends. Symantec offers one and AVG has one that's really nice as well. 

Q: Do you have a recommendation for where I can find a template for a BYOD policy?

A: Yes, through Total HIPAA. As part of our HIPAA Prime initiative that we've just launched, we can create your privacy and security policies and procedures, help you run through a thorough risk assessment, and as part of that, we do have a Bring Your Own Device (BYOD) Policy and also a confidentiality agreement that you can have all of your employees sign off on. 




Kevin McCarthy:  Thanks again for joining us for our third Webinar in the Achieving Compliance Series. This one is about electronic devices in your practice. We're happy to have Jason Karn of Total HIPAA Compliance and Dan Brown of Taylor English back with us today. With that, I'm going to turn it over to Jason, and we'll get started.

Jason Karn: Hi everybody. My name is Jason Karn, and I'm the chief compliance officer over here at Total HIPAA Compliance. Just a little bit about what we do, my company, we work with medical and dental practices. Also, employer business associates and insurance agents, and we make sure you will have a properly documented HIPAA Compliance plan, and we also have industry-specific training. Without further ado, I'm going to pass on to Dan Brown here. He's going to get us started here. So, Dan ...

Dan Brown:  Hey. Good afternoon and good morning, everyone. My name is Dan Brown. I'm an attorney with the law firm of Taylor English Duma in Atlanta, Georgia. I have been practicing healthcare law for over 25 years and worked with all types of clients doing HIPAA compliance and corporate mergers and acquisitions. I'm delighted to be here today, and I'll just go ahead and get started. You'll see, I guess from my housekeeping slide, that I'm a lawyer, but I'm not your lawyer today. Our intent today is just to give you a general overview of some of the technical and legal aspects of dealing personal mobile devices and other electronic devices in your practice. Nothing we say here is intended to create an attorney-client relationship or otherwise constitute legal advice, and remember, things do change quickly in this area so you may need to have someone take a look and make sure you're up to snuff.

Electronic Devices

Dan Brown : Let's look at electronic devices and see what exactly are we talking about here. What type of electronic devices does your practice use? You may be surprised, you can see that we have big broad categories of servers, phone, tablets, and computers. That includes all of your network appliances, that means a WiFi routers, a firewall appliances. If you contract with the Cloud, that would be having the cloud basically part of your obligation to secure information as part of your practice even though it's not on site. What do you have that you can touch in your office? You have the servers, then you have the big broad phones and tablets. These are all mobile devices, they include watches, iPhones, iPads.

In the medical field, it's becoming much more common for physicians and medical assistants to review and schedule their patients right there on their iPhones. You're one of the risk of have carrying around that information and then transmitting that information over the Cloud. We'll talk a little bit about that. Then there's computers, you've got your computers, and you've got your laptops. Then there's this the whole category of ancillary devices that you might not even consider is being a repository of protected health information. Let me give you a quick example. Think about the scanners that you're using or the fax machines, or photocopiers for example. To the extent, modern photocopiers and fax machines and others take a digital images of whatever it is you're intending to copy or send.

Those images are stored on a hard drive. Sure enough, unless you think about your photocopier as a little computer, if your photocopier goes off lease, all of your protected health information on the hard drive goes with it. True story, several years ago, CBS went and got a photocopier that just come off lease. They took it into their office, somehow they got into a hard drive and found hundreds of thousands of medical records. It turned out that the photocopier had been used by a healthy system. When it went off lease, nobody thought to look into the hard drive of the photocopier to see if it was necessary to scrub the hard drive.

Next time you go to your copier less or you might want to say, listen what happens to the hard drive when this will come off lease? Is there any way that we can wipe it and make sure we have something in our records to show that we did wiped it before we return the photocopier back over.

Benefits of Electronic Devices

Dan Brown: If we take a look at one of the benefits of electronic devices, we are to the point now where we just can't live without them, right? We can use electronic health records now that we could never do before and transmit them far and wide over our mobile devices. We've got great flexibility with the telephones. Improved communication with the mobile devices. Obviously, if you have the opportunity to talk to your patients at 10:00 at night through an email or 6:00 in the morning before rounds start, much easier to do. You have an opportunity to have remote access and monitoring of your patients. Again, we have all types of protected health information being stored in these devices and being sent by telemetry to you on your mobile devices. Obviously, there are increased access to research involved, but ...

Issues with Electronic Devices

Dan Brown: For all this ease of use, we have these issues with electronic devices. One thing to think about as you consider your use of these devices in your practice, particularly with bring-your-own devices ... these are the hand-held mobile iPhones, laptops, everyone walks around with. Does your company or practice have a bring-your-own-device policy? Does it require, for example, that all emails that relate to the practice only go through the secure practice email domain name? I've got clients all the time who send me emails from their own personal email account. Well, it's unclear whether or not that information has - if it's protected health information - has run through the proper security that the practice has bought with its own email server. So those are things to think about as you go forward.

Your policy that you adopt should also talk about making sure that everyone is tied to the home base, if you will. By this, I mean let's say an update has come with your software. If not everyone is on the same platform as required by the policy, then folks who need to get an update on the software might not get it and that might impede the ability to go ahead and communicate properly. Your policy should, along with your HIPAA policy, take into consideration what to do about hacks and cyber attacks, and you policy should also make sure that your employees have the ability to know what their responsibilities are vis-à-vis their devices and social media and your practice. All those things are important to have in your policy and if, for example, an employee fails to abide by it, there needs to be some type of disciplinary action against the employee to make sure you're enforcing your policy properly.

We can see that these things are extremely, extremely pervasive in the medical practice. You'll see that there's lots of physicians who ... In 2011, about 2,000 physicians were surveyed, and 81% of those who were surveyed say that they use their personal mobile device to access PHI, so it's very likely that you are one of those 81% folks who use your device and you want to make sure that your use of the device comports with the HIPAA and your security obligations.

Having said that, I'm going to turn it over now to Jason and let him talk a little bit more about some of the technical aspects of these policies and what you should expect and what you should do as you use these devices in your practice.

Unauthorized Access to PHI

Jason Karn: Great, thank you so much, Dan, I appreciate that. Great information. We all use these mobile devices, we use them everyday, I use my personal device in my business. I'm sure that, as we saw on that last slide, you know, many of you people as you go through your everyday, you allow your nurses, you allow your front desk staff to access information. That's great for, you know, productivity reasons, and really can help with that transfer of information, but then we also have this added risk of unauthorized releases of this PHI, and this is really key, is making sure we're protecting this information. Where do we run into issues?

A lot of it stems from password protection, I know a lot of people turn off their password protection as soon as they get a new phone or a computer, they see it as, "Oh, this is a extra burden. I don't want to take this time. What are the chances this is ever going to leave my area or I'm going to loose this," or whatever. People get very, they become very cocky with this and think that, you know, they don't really need this protection. I'll be the first to tell you I've lost two iPhones, unfortunately myself, and how important that is, that ability to then lock that phone and get rid of that information. Because you have to think not only, do you have access to patient information on these devices, you also have access to your personal information and possibly financial information. There could be, you know, pictures, family pictures, all these things you have to think about when you're using your own personal devices in these networks. Also failure to encrypt these devices.

Encryption is, and I will probably say this another five to ten times in this webinar today, so I apologize if this comes across as pedantic, but encryption is your best friend. This is your get out of jail free card if anything happens. If you were password protected, and the device is encrypted, granted this is as long as the encryption key is not with the device, you do not have to report a lost device as a breach. The HIPAA Law says that anytime encrypted device that's password protected is lost that is not considered a breach because they say essentially there's no real, there's no way that somebody can get into that device. That's a great thing to have and make sure that you're installed, that you have activated on all of your devices. That means, you know, iPhones if they're password protected they're actually natively encrypted, which is a nice thing there. When you're dealing with any of your laptops, and or desktop computers, if you're on Windows, Window 7, it's the Enterprise and Elite versions they have a program called BitLocker.

Use it, it is free, and it will put in, it'll encrypt your drives for you. It's included in Windows 8 and Windows 10. If you're using Mac platform, there's FileVault 2, it's included, it's free. None of these will slow your computer down, the only thing you might run into is that some IT folks don't like these because they can't go scan sector by sector if you have a bad drive, that's why we have backups. It's better to go and access a backup than it is to have the ability to scan sector by sector because if you lose that device, and we covered this in an our earlier webinar. If you have six hundred patients that you serve, and you lose your laptop that is not password protected, and or encrypted, then you have to notify all six hundred patients of that breach, and that gets really expensive really fast.

Other great ways we see the PHI's release, we're looking at unencrypted emails. If you're not using an encrypted email service, it's time to start. Unsecured messaging, if you're using your iMessage or Android messaging platform, those are not considered secure, those are not encrypted, they can be intercepted at any point along the way. Also they popup on your screen, so if your kids get a hold of your phone, spouse, you lose your phone, and they popup on the screen, somebody could be sending you PHI. They can also access that and that's part, so we need to make sure we're using a program outside of that. There's some great ones out there, there's TigerText, you know, there's a whole slew of great programs that are minimal cost, but will protect that information. It's really important that we start, we get out of using these built in chat programs.

Conducting a Risk Assessment

Jason Karn: This brings us to we need to do a risk assessment and we need to identify each of these devices, where the problems might lie, shortcomings are, what we can do to try to patch these holes. In conducting this risk assessment, we need a bring your own device policy. This is what Dan was talking about. We need to make sure that our employees understand what their responsibilities are and if we're allowing those devices on our network.

Again, this is great for productivity if I don't have to carry 3 phones for one for each job or whatever I've got going on, or 2 phones. If I can only use 1 device, that's great, but that also opens me up to a lot of issues if I'm a practice owner, because all of a sudden, my nurses have information that's going to their private device. I don't have necessary direct control of that device at all times. It's important to have that device policy in place.

It can be up to the point of, and in my actually, bring your own device policy, we state that we can actually erase your phone. I think that's a good place to be, because if the phone is lost, you want to be able to say, let's wipe that device. This also applies to tablets and also can apply to laptop machines. You want to be able to control those as much as possible.

In that policy also, you will talk about things like making sure that family members aren't allowed to use these devices on off-hours. You're going to look at making sure that password protection is on, that you're changing those passwords. Allowing biometric use of the iPhone, it's very nice to be able to use the thumbprint to access the phone, but making sure that that is turned on at all times.

The device is encrypted if you're using Android or Windows phones, you need to make sure you actually turn on encryption. I will warn you, before you do that, make sure you back up those phones and device, and do not stop when starting the encryption process. If you do stop the encryption process halfway through, it will basically boot your phone and you will have to restart from scratch and you will not be able to access any information. You'll lose everything that you had. Make sure when you do that that you probably do it overnight and just let it run overnight.

Really think about these items. It's really important that you have this codified and you have your employees sign off on this. With that, we want to talk about also having a mobile device management plan. We want to be able to track these devices. We want to know what information's being accessed, this is where sometimes file sharing programs can be really helpful, because that information will stay on those file sharing applications, like a Citrix file share, Sookasa has a really nice platform for that, goes over Dropbox. Dropbox is not HIPAA compliant, by the way. If anybody's using that, they need to stop that.

Box has a really nice web app. The nice thing about that is you can designate control. You can say, hey, Bob stopped working for me, he quit yesterday. Let me deny him access to patient files that were in this Box file. You can turn those controls on and off, which is very helpful. You want to be able to manage those devices. You can either do that through an Apple find my iPhone, Android has that, Windows has a program like that, if you're looking for something more on the enterprise level, there's a program called Prey, P-R-E-Y, that allows you to track devices and will also allow you to lock those down.

You're going to definitely want a mobile device encryption plan. About encryption, and I'm going to throw in a lot of stuff here, and I'll try to keep this moving as fast as possible, bu there's a lot of information to cover when it comes to mobile devices. When it comes to encrypting your mobile devices, if you're dealing with an Android phone, or Windows phone, or Android tablets, you have to make sure when you turn on that encryption that you also encrypt those SD cards. Those SD cards are not normally encrypted, but you want to make sure that they are, because if you're putting any information on that card, and you then take that card out, that's free game. You want to make sure that encryption is on those cards, in case any PHI gets there.

Also if you decide to pass off any of these devices to your kids or to other family members, make sure you securely wipe those devices. We've talked about this a few times, the password policy. You want to make sure those passwords are difficult. We want to make sure that getting into those devices, it's not 1, 2, 3, 4. Really make sure you're using difficult passwords. They should be at least 6 to 8 characters to get in. Special characters if you can. I know a lot of these are just digits when it comes to the iPhone or whatever. Biometrics are great, thumbprints are fine. Just make sure those are activated and those are constantly on. It should be every time a person turns on that device. If it's going to contain PHI, you want that mobile device to basically every time somebody tries to access that phone, they have to either use their thumbprint or use a password to get in.

You also want to consider these questions. Can the devices leave the office? Most of them leave in our pocket every day. Also, think about if you're using flash drives. I would recommend people start to migrate away from those. Flash drives, any sort of removable media for general use. I think this is where a cloud storage solution like a Sookasa, a Box, Citrix share file, becomes very helpful. Or, accessing, maybe the EHR through a encrypted portal, through either VPN, that's a virtual private network, or using a secure socket layer, which is SSL or HTTPS, that's hyper text transfer protocol secure. That's what that little green lock looks like up in your upper left hand corner when you're looking at a browser.

You want to try to control that data as much as possible, because that's your job. Controlling that data means maybe keeping it on your server or keeping it in the cloud and not letting people download that information on to those devices. What operating systems are you guys using? You want to make sure those are updated constantly. If you're using Windows 7, make sure you're doing those security updates. Windows XP no longer is usable, they're no longer doing updates on those. You need to make sure that you're phasing those computers out.

As the security updates come, make sure you're pushing those right away. Do PHI documents require encryption? I would say they do. It's up to you as you do your risk assessment to make that decision, but I will tell you I've yet to see somebody, and I've done a lot of compliance plans, where I've seen an instance where something should not be encrypted. Yes.

Do you regularly scan your systems for malware? I hope that the answer to that question is yes. We're going to talk a little bit more about some specific examples of this that have been coming up recently, but you want to makes sure that you're updating your malware constantly, that it's scanning for families of viruses, and that you have something that scans anytime you plug in any devices, that's your flash drives, your mobile devices. You want to make sure you're trying to keep malware off as much as possible. Also, when it comes to these email encryption. Make sure you're training your staff to say hey, if we see a unexpected attachment or something that looks a little weird, not to open those emails, no to open those attachments.

Does your email encryption software require authentication of the correct receiving party? This is very important. There are a couple encrypted programs that will encrypt at point to point, but once it gets to the supposed user, that email's automatically unlocked, and there's no authentication that happens. You really want to make sure that the receive is authenticating who they are. Many people share devices at home. You want to make sure that Bob's getting that information and not Bob's son or his wife or whatever. He may allow that information to go to his wife, but let him make that decision instead of just sending it blindly to that person. That goes back to that making sure that that email is encrypted, but yes, they should have to authenticate who they are.

Five Steps to Managing Your Devices

Jason Karn: Managing these mobile devices. Now, they're really ... There are good five steps. Number one is decide whether you're actually going to allow these devices on your network and what you're going to allow them to access. Are you going to allow them to access your EHR? They've got to be able to see patient information. Are you going to allow them to access your calendar? Calendar's going to have patient names on it. That sometimes can have PHI included in it, so you want to make sure that you clearly decided and notated what information you're going to allow on these devices.

Access. What level of access are you going to give to people? How are they going to access it? Again, are we going through a VPN? Are we accessing through HTTPS? How are they going to get that information? How are we making sure that's protected?

Identify. Look and say, "Okay." We want to say, "All right. Identify what devices we're going to allow. Identify what information we're going to let go through." It's very important. This is part of the whole documentation when it comes to your security policies and procedures.

Then as you see, develop, document, and implement. You want to develop those policies. You want to document everything that we've been talking about and then implement it. Really, you want to be able to push that out and say, "Okay. This is how we're going to do this. This is what our password policy is. This is what we're going to do if you do not follow our password policy. You can be retrained. If we find, you know, a second time, that the password protection is off your phone, and you're using your device to access our network, you are going to be suspended for a week."

Make sure those policies are there, they're consistently enforced, and really, this is a very important part, and training. Train your people. They are your front line, and they're also your weakest line when it comes to enforcing HIPAA. They come in contact with so much information. They also need the information, and it's really their responsibility to help you protect your patients and help protect that information and keep it within your practice. So, train. That's annual training. Possibly even quarterly reminders to just say, "Hey, this is what's going on." Little friendly things saying, "When's the last time you changed your passwords not only for the practice but maybe your personal passwords." People get very complacent and very lax about these things.

Tips for Protecting Your Devices

Jason Karn: How do you protect your devices? As we said, you want to use password and other authentication that's biometric. For programs, we recommend using two-factor authentication. There's a great program, Google Authenticator, that works with a lot of programs now that's become a standard. Also two-factors find a text sent to a device, or an email sent to a separate device. Ways that you can authenticate two different ways that it is you. That's really helpful and makes- and keeps those instances of people misusing IDs and passwords, tries to keep that to a minimum.

Install enable encryption on everything. Activate remote wipe and disables. That's very important, as I stated earlier. I've lost, unfortunately, two iPhones. The ability to track them and lock them down, and then subsequently erase them has been, I found, invaluable. I'm sure everybody can commiserate with me, but with the amount of information that we store in these devices now, it's imperative that you're able to track them, wipe them if you need to, but at minimum, be able to lock them down. Disable or do not install file sharing apps, this is only file sharing apps that you, as an employer are allowing on your devices. If you're going to use something like Box, and that's a system that is- everybody that needs to- that's the program you're going to use. You've said, "Okay, we're going to use Sookasa, and we're going to install that on everything," then you need to, basically you need to say, "This is what we're going to install." That's part of the document and how you do things.

So install and enable firewalls. You have software, firewalls, and you have, it's basically software firewalls are included in all devices and all operating systems now when it comes to desktop machines. Make sure those are enabled. Those should be set to white list, which means that it blocks all incoming traffic. And you want to make sure those are enabled at all times. For your practice, you probably want to look at getting a hardware firewall. Again, those should be set to deny access, so if people are trying to access your devices or get in through your network, that will stop a lot of that traffic.

It also can help if you do have an issue with, basically say you do get infected. That will help sometimes with keeping that virus from getting out of your network, too. It can save your clients and whatnot, and stop those kinds of actions happening.

Always, always install and enable those security updates. Those are not there just for fun. I know a lot of people I've talked to don't do those security updates or overlook them. There are a lot of them that come in. If there's a security update that's there, it's there for a reason. It's there to protect you. It's the vulnerability that's been found.

I'll tell you a little story I've been following of some of these hackers that go around and the reasons that these- they come up with these hacks and they publish them is because they find that a lot of these larger companies aren't responsive when somebody says, "Hey, there's a hole." The only time they're responsible, or seem to be responsive is when they find a hack, and they publish it and all of a sudden Apple goes, "Well we need to fix- we need to patch this hole." That's the reason why we have these security updates that come out. That means that that is actually an imminent problem that could happen. Somebody could access your network. It's important as those are discovered that you do have a policy, and you have a standard for putting those in place. Realize that that could take your system down for a bit, so if you can do those over an evening or later in the day when traffic may not be so- you might not have so much traffic in your practice, you want to try to- you can schedule those around those times. You really want to make sure that if a security update comes through, that within about a week that you push those updates.

Tips for protecting your devices. Really research those mobile apps before you download. These days, for the most part, the Apple Store and the Google Play store are really good, and the Windows app store are really good about trying to scan those, but even sometimes they get through there. Make sure you're being really careful about what you're downloading. Is it something that you really need? I know that we all like to play games on our phones, but keep on top of that, and make sure that, "Hey. Do I really need to have these items on?" If it is a device that is maintained by the practice, be that a mobile device, a laptop, you may want to just disable that altogether. You may want to say, "Hey. We're only going to allow certain programs on these devices," and you're well within your rights to do that. Make sure that you basically assess those before that happens.

Maintain the physical control of devices. That's pretty self-explanatory. Adequate security when you're using a public wi-fi, that's where a VPN comes in really handy because you're looking at a situation where that creates an encrypted portal from your device to the EHR, or to another system. Making sure that- using that because if you're in a situation where you're at the library or at the local coffee shop using a network, any time you access a website that doesn't have https on it, which is the hypertext transfer protocol secure on it, that information could be vulnerable and can be read in transit by anybody with minimal hacking skills. That means any passwords you're sending, or anything you're doing could conceivably be intercepted. It's important that you have those because that secure protocol, what that does is puts that secure socket layer over it, encrypts that information in transit. A VPN will take care of that, also. Just be really careful about what you're accessing and what you're doing when you're in public.

Deleting all stored info before discarding or reusing. As Dan talked about with that copier incident, the company did not erase that drive when they turned it back in for lease. Making sure that you overwrite those drives. Don't just say, "erase." You want to do what's called a secure erase. A secure erase actually puts ones and zeros over the device because if you just do an erase, essentially what it does is it takes the headers off. Those files still exist on your drive. Any data recovery person can actually go in and grab those files. Secure erase actually overwrites those ones and zeros, so it basically wipes those clean and erases any of that data. Make sure you're deleting those and doing it properly.

Turning off Bluetooth visibility. That's really helpful. That's something that, generally, we don't think about that very much because we've got the- it's very helpful to have Bluetooth, but there have been a lot of vulnerabilities that we've seen with Bluetooth. Making sure that if you do have it active, that it requires a password to access. For general purposes, if your devices are going to have protected health information, it's a good idea to limit that access through Bluetooth, and not leave it as active passively.

Do not share your mobile devices. Don't share them with friends. Don't share them with family. These are very personal devices and carry very personal information, not only for you but for your practice. It's important to keep those in your possession.

Make sure those devices are registered with your organization. It's important to have mac addresses, as well as IP addresses for those devices, serial numbers, so that you know when something's lost that you can track it as best you can. Also, it helps at times when you're filing for insurance claims. That's very, very helpful.

What is Ransomware?

Jason Karn: I understand we're going to talk a little bit about specifics, and I know you guys have been seeing a lot of this recently. If you haven't, there was a huge breach that happened in a hospital in Los Angeles and they got attacked by a ransom ware. What is a ransom ware? It restricts access to a computer, so you get this random download, somebody sends you a message and it's got an attachment, and you open the attachment, and what it does is it locks your computer and puts a encryption ... Basically encrypts your computer and may say, "You have to send us a certain amount of money in order to unlock your computer." This is a worst scenario nightmare, unfortunately we're seeing a lot of this, and there's been a huge uptick in the last year. We're seeing a lot of people pay for this, and we had one client in this hospital in Los Angeles that actually ended up paying $18,000 in order to unlock their network, and unlock their computers.

Keys to Protecting Your Practice

Jason Karn: This is why it's so important to have that good anti-virus program and make sure that it's updated and constantly being updated. There are new definitions that are coming out daily, sometimes hourly, that identify what these viruses are, what this malware is. Some of these are difficult to get at. They're really looking for families of viruses because people take different bits of code and piece them together. You want to make sure you have that and you update it and it's constantly updated. Making sure your systems are updated. Making sure you're using a proper operating systems that have the most recent security updates.

This also extends to medical practices. I've been seeing some of this. It extends to medical devices. There are a lot of medical devices now that are having issues. You've got infusion pumps. You've got pacemakers that can access your network. It's not a bad idea if those are older, haven't been updated, if you haven't gone through an update protocol for those, it's not a bad idea to isolate those off your main network. That is probably an issue for larger providers. For smaller providers it may not be such a big issue, but it's something to keep aware of.

Make sure that if software updates come from manufactures, to look at ... I know FDA was looking at some infusion devices and recommending that people either upgrade and/or stop allowing them access to their networks, because they were considered a vulnerability. I think part of that problem is they were will running off Window XP. Making sure that you're updating so that you're using modern and updated operating systems.

Again, being cautious of unexpected email attachments. You shouldn't be opening everything willy-nilly. If it's a Zip file, if it's EXE file coming to your PC, it's a good idea to make sure you're deleting those. Before you open attachments, make sure your virus protection is set to scan those. I cannot reiterate this enough, back up regularly. This should be either ongoing; you can do what they call incremental backups, differential backups, but whatever you end up doing, make sure you're backing up and may be have multiple back ups.

For myself personally, I use a cloud backup system as well as use local backups, so that I have different versions. I'm a little bit neurotic about that because I've lost a couple of hard drives along the way. I think I had a 6-month period where I lost 4 hard drives in 6 months. That's a very nerve wracking. Luckily, I had backups and was able to recover all that information. Realizing that hard drives, especially the [types 00:03:02] that we use these days, they are vulnerable. They will fail. If they don't fail within the first 6 months, they usually are pretty good for a while, but then once it gets passed about 2 to 3 years, the rate of failure goes up almost exponentially. You have older drives in your systems, must make sure you're backing those up. You don't necessarily have to replace them right away, but make sure you're definitely backing them up.

Steps to Take After an Attack

Jason Karn: What do you do if you are the victim of an attack? Well, first off is you want to alert law enforcement. They may not be able to help you very much. They may refer you to the FBI, but it's important to let them know what's going on. I know this is embarrassing for everybody, but the reality is that we need to know what's going on. The only way we can helpfully address these things and continue to make progress in addressing these issues is if everybody comes together and says, "You know what? Let's notify and let people know what's going on with us." If you have a device that's infected, that becomes infected, this means that you have random screens popping up, things are happening, get it off your network. Disconnect it from your network immediately. Turn it off. Contact your IT department. See if they can help you out. Don't sit there and see if you can fix it yourself. Just make sure, first and foremost, you get that off your network. Hopefully, you can keep that infection down to one computer or one device and not get it to pervade your entire network.

Remember, if you are the victim of, unfortunately, a ransomware, even if you pay that fine, if you decide that, "Hey, I need to pay this fine," that there's no guarantee that you'll get access back. That's why backups are so important, and as part of HIPAA, with your disaster recovery plan, is making sure you have trained folks who can take those backups and restore systems as needed. That's really important, because again, even if you pay, you may not get access again, and if you do pay, they still have a way in until you've scanned your systems and been able to lock everything down. That's important to make sure that you have a fail safe, that you have a backup plan, and it is actually a required part of HIPAA.


We appreciate your interest and know that maintaining compliance with HIPAA can be a big task. If you're still a bit behind schedule, our partners at Total HIPAA Compliance and Taylor English are available to provide expert HIPAA compliance training and consultation.